The Web Security Mailing List

"DNSSec (Domain Name System Security Extension), which uses digital
signatures to guard against forged requests, offers a means of making
internet naming systems more secure. But even 15 years after the
standard was developed its adoption remains low.

Mockapetris blames problems in making the technology easy to deploy,
delays in developing DNSSec-aware apps, and political wrangles in
holding back adoption of the technology. Arguments about whether or not
to give VeriSign the role of a trusted third party signing root keys
have acted as a roadblock but Mockapetris reckons difficulties in
making the technology easy to apply are the greatest obstacle to its
deployment.

"There were five years of good work in there to roll out the
technology but on top of that we've had 10 years of political and
technical dithering," Mockapetris said.

Only a massive blockbuster attack or applications that require
DNSSec are likely to spur adoption of the technology, which has never
really got out of first gear."